UNITED STATES DEPARTMENT OF AGRICULTURE
OFFICE OF INSPECTOR GENERAL

STATEMENT OF THE HONORABLE PHYLLIS K. FONG
INSPECTOR GENERAL

Before the
Subcommittee on Department Operations, Oversight, and Credit
Committee on Agriculture
U.S. House of Representatives

December 1, 2011

Good morning, Mr. Chairman, Ranking Member Fudge, and Members of the Subcommittee. I am joined by Gil Harden, the Assistant Inspector General for Audit and Karen Ellis, the Assistant Inspector General for Investigations. Thank you for the opportunity to update the Subcommittee on the Office of Inspector General’s (OIG) work on preventing fraud in the Supplemental Nutrition Assistance Program (SNAP) and reviewing the Department’s information technology (IT) programs for compliance with all applicable laws and regulations.

Database Analysis to Reduce SNAP Fraud

As part of our ongoing efforts to help minimize fraud, waste, and abuse within SNAP, OIG is performing a series of audits analyzing 10 States’ participant databases.[1] These databases store critical information which helps identify ineligible participants who are receiving benefits. Detecting and investigating program violations is one of the State agencies’ primary responsibilities. State agencies are required to check their information against Federal and State databases to ensure, for example, that people using deceased individuals’ social security numbers (SSN) do not receive benefits, or that their submitted income is the same as is listed in official records. If applicants do not meet eligibility requirements at the time of application or on a recurring 6 to 12 month basis, State agencies are required to disqualify them. Doing so ensures that taxpayer dollars go to those who are truly in need.

To monitor State agencies’ progress in identifying and preventing improper payments, we checked several of these databases ourselves. We have completed work in two States—Kansas and Florida—and found a total of 3,572 recipients who were receiving potential improper payments:[2]

    • 878 recipients were either deceased or using the SSNs of deceased individuals.[3] State agencies did not investigate individuals using the SSNs of deceased persons due to a backlog stemming from increased participation in SNAP in recent years, as well as a system crash. Additionally, some recipients received benefits because State agencies only checked State death records, which do not identify deceased participants who died in a different State, instead of checking against the required national Social Security Administration database.

    • 160 active participants were previously disqualified from receiving SNAP benefits.[4] One of the most basic ways to protect against SNAP fraud is to prevent intentional program violators from reenrolling, but FNS does not require States to check FNS’ database of disqualified participants before admitting them into SNAP.[5] We found that because of this policy, in Florida alone, 160 participants who had previously been disqualified in other States were actively receiving SNAP benefits.

    • 973 participants received dual benefits simultaneously from another State for 3 consecutive months.[6] Of these, 165 were enrolled in both States for 6 months or longer[7]—and 1 was a dual participant for a year and a half.[8] This occurred because, at present, FNS does not have a nationwide database of participant data. Instead, the States, at their own discretion, utilize an optional, multi-State system, which results in significant gaps in coverage. For example, even though Florida utilizes this system, it did not know that 370 SNAP participants were simultaneously receiving benefits in Alabama because Alabama does not participate in the system, and thus the system does not contain Alabama’s data.

    • 1,555 individuals had invalid SSNs.[9] The States did not always check their own databases for anomalies, which increased the risk of improper payments to individuals with invalid SSNs. Agencies attributed most of these errors to data entry errors or incorrect SSNs provided by participants. With potentially incorrect information, it is difficult for States to determine which participants may be intentionally manipulating the system.

    • 6 individuals were receiving dual benefits under two separate accounts.[10] State agencies determined that a rare IT system issue created dual records, but were unable to diagnose the cause.

Participants in Kansas receive on average $124.40 in benefits a month, while participants in Florida receive an average of $141.40 a month. We estimate that these 3,572 recipients could be receiving a total of $490,070 a month.[11]

Databases provide some of the most comprehensive and robust information for fraud detection. However, we found that because State agencies do not fully utilize them—even when they are required to do so—they may continue to issue SNAP payments to those who are not entitled to receive the benefit.

Taken within the context of SNAP as a whole, our findings to date do not represent large monetary sums, but they do show areas where FNS and the States could make progress in reducing potential improper payments. Moreover, as FNS strives to bring its rate of improper payments below 3 percent, it will need to make use of data analysis as a straightforward way of identifying payments that should not be made. OIG is in the process of completing similar data analysis audits in another eight States.

In our reports, we have recommended that FNS require the Florida and Kansas agencies to ensure they use a national database to perform death matches and SSN verifications, and that they perform checks to make sure information is entered correctly. We also recommended the State agencies review the individuals we identified and recover improper payments, as appropriate. Generally, FNS agreed. To prevent interstate dual participation, the agency is in the process of implementing regional databases. FNS also encourages States to check for interstate dual participation by using the optional national database, but notes that some States feel the information in this database is not timely. FNS has not yet provided timelines to implement checks for dual enrollment, which we require to reach agreement on management’s decision for corrective action.[12]

Additionally, we have found that FNS needs to take measures to ensure that other information used in fraud detection efforts is accurate and reliable. In one audit, we found that the files used to back up FNS’ Anti-Fraud Locator Electronic Benefit Transfer (EBT) Retail Transaction system, which stores the data from EBT transactions, were incomplete and disorganized, which could hinder fraud detection efforts. As a result of our audit, FNS has agreed to strengthen system controls, including system redesigns and upgrades by June 2012.[13]

OIG Investigations of the Illegal Trade in SNAP Benefits

Just as there are individuals willing to misrepresent themselves to receive benefits, so there are individuals and retailers who illegally exchange food benefits for cash or other commodities. For example, by giving a recipient $50 in cash for $100 in benefits, an unscrupulous retailer can make a significant profit; recipients, of course, are then able to spend the cash however they like. In some cases, recipients have exchanged benefits for drugs, weapons, and other contraband. Not only does this illegal exchange interfere with FNS’ ability to efficiently use its resources to feed hungry families, but it undermines the goal of providing nutritional and wholesome food to those in need.

In FY 2011, OIG devoted about 46 percent of its investigative resources to SNAP-related criminal investigations. In that year, our investigations resulted in 179 convictions and monetary results totaling $26.5 million. In recent months, OIG has concluded a number of SNAP investigations, including the following:

    • A judge recently ordered a Brooklyn store owner to serve 2 years in jail and pay $1.4 million in restitution for defrauding SNAP. From September 2007 to September 2009, OIG agents exchanged a total of $2,664 in SNAP benefits for $1,875 in cash in a series of transactions demonstrating that the owner was in the habit of trafficking in SNAP benefits. Subsequent investigation and analysis of financial data demonstrated that the store’s fraudulent SNAP transactions amounted to approximately $1.4 million. In 2009, the store owner and her son were charged with conspiracy to commit SNAP trafficking. The store owner pled guilty and was sentenced to 24 months’ imprisonment and ordered with her son to pay restitution of approximately $1.4 million and forfeiture in the amount of $105,524. The owner’s son fled, but he was apprehended in Florida in July 2010. He pled guilty in December 2010, and in June 2011, was sentenced to 15 months’ imprisonment.

    • After being deported from the United States for food stamp fraud in the 1990s, one criminal illegally re-entered the country in 2000 and resumed EBT fraud. With the assistance of an accountant, this individual opened several stores using other individuals’ names. The false owners of these stores signed their names on FNS documents to obtain authorization to accept SNAP benefits, but the subject, his wife, and his brother actually operated these stores. Subsequently, an OIG investigation resulted in the subject and his brother being charged with fraud. In June 2011, the owner was sentenced to 57 months of incarceration, 3 years of probation, and restitution of $1.7 million, and will again be subject to deportation. His brother was sentenced in May 2011 to 21 months of incarceration, 12 months’ probation, and restitution totaling $362,764. Court actions are pending against the store owner’s wife.

    • In Cincinnati, a 2-year joint criminal investigation led by OIG disclosed that the owner, manager, and employees of two SNAP-authorized retailers exchanged SNAP benefits for firearms, cash, stolen tobacco products, narcotics, and drug paraphernalia. In April 2011, two store employees, who were brothers, were sentenced to 51 months’ incarceration followed by 3 years’ supervised release, and were ordered to pay fines. Their mother was sentenced in May 2011 to time served, 6 months’ home confinement, and 3 years’ supervised release after agents found EBT cards in her purse while searching for evidence involving her sons’ illegal SNAP trafficking. Their father was sentenced to probation in September 2011 after he pled guilty to SNAP fraud and receipt of stolen property. One of the store owners and a manager are scheduled to be tried criminally later this year for illegal use of SNAP benefits.

OIG continues to work with FNS to develop new ways of detecting and investigating retailers at high risk of committing such fraud. In particular, we are engaged in ongoing discussions with FNS to identify ways to leverage resources with State and local partners so that they may better address fraud involving both retailers and recipients.

Improving USDA’s IT Systems

OIG continues to provide oversight to ensure that the Department efficiently and effectively utilizes the funds it was provided to update its IT infrastructure. In FY 2010, the Office of the Chief Information Officer’s (OCIO) baseline budget was increased from $17 million to $61 million for security improvements within the Department. Anticipating a total of $64 million in FY 2011, USDA pursued a total of 14 projects that year, including network monitoring and establishing a 24/7 security operations center. However, in April 2011, the passage of a final continuing resolution resulted in a decrease in overall appropriations available for the remainder of FY 2011. OCIO received a total of $40 million for FY 2011—$23 million more than in FY 2009, but $24 million less than what it anticipated. OIG is in the process of determining how OCIO used the additional funding it received, and if the additional funding resulted in improved security. We can state, based on our work to date, that the 14 projects initiated with this additional funding appear to have been significantly curtailed or delayed. In one example, with a decreased budget, USDA halted work by contractors to implement a $3.6 million software package. With the project not yet operational, and without access to the administrator account, the Department effectively found itself unable to use the software tool.

Apart from this ongoing audit, OIG routinely monitors the state of IT security at USDA. Each year, we conduct our mandated review of the Department’s compliance with the Federal Information Security Management Act (FISMA). Bringing USDA’s IT infrastructure into full compliance with all applicable laws and regulations is a formidable challenge, as the Department includes 33 agencies, most with their own IT infrastructure, and operates a total of 257 discrete IT systems. In FY 2011, USDA spent a total of $2.5 billion on IT-related expenses to maintain, upgrade, operate, or replace these systems.

The Department requires this infrastructure to process and manage the vast amounts of information needed to deliver benefits and services to the American public. However, overseeing such a diverse array of technology presents problems for any organization, and USDA is no exception. Since 2009, OIG has made 43 recommendations, including 10 from FY 2011, intended to help the Department remedy longstanding deficiencies in its IT security. Though the Department has closed only 6 of these 43 recommendations, it continues to work on resolutions for the remaining open recommendations.

As part of our FY 2011 FISMA review, OIG noted that OCIO has tended to attempt too many IT projects at the same time, which has resulted in USDA not meeting its project milestones. Given OCIO’s tendency to disperse its efforts over a wide field—and thereby dilute their effect—we have recommended that OCIO prioritize its work on a few projects, and focus on completing those projects. To some extent, OCIO has responded. For example, in response to issues we reported previously, the Department installed a cyber security incident detection toolkit this year—this system should help USDA detect and respond to intrusions in its data systems. With appropriate resources, the Department can analyze up to 150 alerts to potential cyber attacks per week. OCIO, however, faced a decrease in its budget for this project, and was forced to reduce the personnel it relied on to perform this work. Now, it analyzes about 15 alerts weekly.[14]

OIG also has issued a number of recent reports dealing with IT problems in the Department, several of them dealing with contractors. Federal IT projects have historically involved contractors, but USDA has not always adequately overseen the contracts it relies on to fulfill its IT requirements. For instance, our audit of USDA’s Domain Name System (DNS) revealed that OCIO needs to improve how it oversees the contractors who operate this critical system, which routes internet traffic through the network.[15] Like any other distributed computing system, USDA’s system is susceptible to platform-, software-, and network-level vulnerabilities. OIG reviewed the Department’s management and security controls to protect the integrity, validity, and availability of the information that travels across USDA’s network. We found that OCIO has not always been diligent in ensuring that the management and security over DNS was adequate. Ultimately, these types of problems leave the Department open to cyber attacks and the potential destruction or theft of valuable and private data.[16]

USDA, like other Federal agencies and private companies, is also facing challenges concerning integrating new technologies in a way that furthers the Department’s mission while also meeting the most rigorous IT security requirements. The Department’s employees are increasingly reliant on smart phones or other wireless handheld devices, but these powerful devices bring with them new security problems related to their portability. OIG reviewed 277 of USDA’s approximately 10,000 wireless handheld devices, and found that all of these 277 devices were not adequately secured, as defined by guidance issued by the National Institute of Standards and Technology. For example, we found wireless handheld devices that were not password-protected, had no anti-virus software installed, and were not configured to encrypt removable media. We also found that all 22 of the Department’s Blackberry servers were not secured in accordance with Departmental guidance, which allowed users to disable their passwords or bypass the Department’s internet content filters. Ultimately, these problems occurred because OCIO took a decentralized approach to deploying these devices (allowing individual agencies to select and deploy smart phones) without providing clear guidance and oversight on how to configure and secure them, which resulted in inconsistencies.[17] OCIO accepted our recommendations.

Conclusion

This concludes our written statement. I want to again thank the Chair and the Subcommittee for the opportunity to testify today. We welcome any questions you may have.

[1] The 10 States are Alabama, Florida, Kansas, Louisiana, Massachusetts, Mississippi, Missouri, New Jersey, New York, and Texas.
[2] Kansas: 883; Florida: 2,689.
[3] Kansas: 71; Florida: 807.
[4] Florida: 160.
[5] FNS uses a database known as the Electronic Disqualified Recipient System (eDRS).
[6] Kansas: 90; Florida: 883.
[7] Kansas: 58; Florida: 107.
[8] Kansas: 1.
[9] Kansas: 720; Florida: 835.
[10] Kansas: 2; Florida: 4.
[11] $109,845 in Kansas; $380,225 in Florida.
[12] Audit Report 27002-0002-13, “Analysis of Florida’s SNAP Eligibility Data” (November 29, 2011) and Audit Report 27002-0001-13, “Analysis of Kansas’ SNAP Eligibility Data” (November 23, 2011).
[13] Audit Report 27002-0001-DA, “Analysis of Supplemental Nutrition Assistance Program ALERT Database” (November 22, 2011).
[14] Audit Report 50501-0002-12, “U.S. Department of Agriculture, Office of the Chief Information Officer, Fiscal Year 2011 Federal Information Security Management Act” (November 15, 2011).
[15] DNS is a data communication mechanism that translates Internet Protocol addresses into easy-to-understand website names, allowing users to navigate using a website name such as www.ocio.usda.gov rather than a series of numbers such as 192.168.200.100.
[16] Audit Report 50501-0001-12, “Fast Report – Critical Domain Name Systems (DNS) Servers” (April 15, 2011).
[17] Audit Report 50501-0001-IT, “USDA’s Management and Security Over Wireless Handheld Devices” (August 15, 2011).